@kost
Created November 21, 2019 09:39
Convert VirtualBox ELF memory dump to RAW memory dump
#!/bin/bash
# Script to convert from vbox elf format to raw (modified from andreafortun -kost)
# Memory dump of VirtualBox in Elf format:
# vboxmanage debugvm "win7test" dumpvmcore --filename testvbox.elf
# Usage: vboxelf2raw.sh testvbox.elf
if [ "$1x" == "x" ]; then
    echo "Usage: vboxelf2raw.sh <file.elf> [out.raw]"
    echo "Example: vboxelf2raw.sh testvbox.elf"
    echo "vboxelf2raw.sh will output to testvbox.elf.raw if output is not specified"
    exit 0
fi
inputfile=$1
if [ "$2x" == "x" ]; then
    outputfile=$1.raw
else
    outputfile=$2
fi
# objdump -h columns: Idx Name Size VMA LMA File-off Algn.
# Only the section named load1 is extracted: $3 is its size, $6 its file offset (both hex).
size=0x$(objdump -h "$inputfile" | grep -w load1 | awk '{print $3}')
# bc strips the leading zeros from the hex offset (it expects upper-case hex digits)
off=0x$(echo "obase=16;ibase=16;$(objdump -h "$inputfile" | grep -w load1 | awk '{print $6}' | tr a-f A-F)" | bc)
echo "$inputfile -> $outputfile (off: $off, size: $size)"
# Keep bytes [off, off+size) of the input: cut the tail off with head, then the head off with tail
head -c $((size + off)) "$inputfile" | tail -c +$((off + 1)) > "$outputfile"
@cmueller-tp

What about something like this?

#!/usr/bin/env bash

FILE=$1
OUTFILE=$2

set -e

failed() {
    echo "$1"
    exit 1
}

if [ -z "$1" ]; then
   failed "usage: $0 <infile> <outfile>"
fi

if [ -z "$2" ]; then
   failed "usage: $0 <infile> <outfile>"
fi

[ -f "$FILE" ] || failed "no such file or directory"
[ -f "$OUTFILE" ] && failed "outfile exists"

touch "$OUTFILE"

ELF_BASE_ADDRESS=0
# Each input line is "<size> <LMA> <file offset>" in hex for one loadN section
while IFS= read -r SECTION; do
    CURRENT_SECTION_SIZE=$((16#$(echo "$SECTION" | cut -f1 -d' ')))
    CURRENT_SECTION_OFFSET=$((16#$(echo "$SECTION" | cut -f2 -d' ')))
    CURRENT_FILE_OFFSET=$((16#$(echo "$SECTION" | cut -f3 -d' ')))
    if [ $CURRENT_SECTION_SIZE -eq 0 ]; then
        continue
    fi

    # Current output size; wc -c is used because the column spacing of ls -l is not stable
    FILE_SIZE=$(wc -c < "$OUTFILE")
    PAD_SIZE=$(($CURRENT_SECTION_OFFSET - $FILE_SIZE))
    # Zero-fill the gap between the end of the output and this section's load address
    dd if=/dev/zero of="$OUTFILE" bs=4096 seek=$(($FILE_SIZE / 4096)) count=$(($PAD_SIZE / 4096)) 2>/dev/null
    # Copy the section data from its file offset to its load address in the output
    dd if="$FILE" bs=16 skip=$(($CURRENT_FILE_OFFSET / 16)) count=$(($CURRENT_SECTION_SIZE / 16)) 2>/dev/null | dd of="$OUTFILE" bs=4096 seek=$(($CURRENT_SECTION_OFFSET / 4096))
# Match on the section name column only, so a file name containing "load" is not picked up
done < <(objdump -h "$FILE" | awk '$2 ~ /^load[0-9]+$/ {print $3, $5, $6}')

As there are multiple sections in the ELF file, this is more complete. It's not good code, it's not fast, but it's more complete. Hope it helps someone!
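
An added example, not code from the gist or from the comment above: the multi-section conversion done by reading the ELF64 program headers directly instead of parsing `objdump -h` output, writing every PT_LOAD segment at its load address and leaving the gaps zero. It assumes, as the comment's script does by using the LMA column, that `p_paddr` is the guest physical address; `load_segments`, `elf_to_raw` and `sample_core` are names chosen here, and `sample_core()` builds a constructed test input.

```python
import io
import struct

PT_LOAD = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)

def load_segments(src):
    """Sorted (p_paddr, p_offset, p_filesz) per non-empty PT_LOAD; p_paddr assumed physical."""
    src.seek(0)
    hdr = EHDR.unpack(src.read(EHDR.size))
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    segs = []
    for i in range(phnum):
        src.seek(phoff + i * phentsize)
        p_type, _, off, _, paddr, filesz, _, _ = PHDR.unpack(src.read(PHDR.size))
        if p_type == PT_LOAD and filesz:   # skips PT_NOTE and empty ranges
            segs.append((paddr, off, filesz))
    return sorted(segs)

def elf_to_raw(src, dst, chunk=1 << 20):
    """Copy each segment to its physical address in dst; returns the raw image size."""
    end = 0
    for paddr, off, filesz in load_segments(src):
        if paddr < end:
            raise ValueError("overlapping PT_LOAD segments")
        src.seek(off)
        dst.seek(paddr)                    # seeking past EOF leaves a zero-filled gap
        left = filesz
        while left:
            buf = src.read(min(chunk, left))
            if not buf:
                raise ValueError("dump is truncated inside a segment")
            dst.write(buf)
            left -= len(buf)
        end = paddr + filesz
    return end

def sample_core():
    """Constructed input: one PT_NOTE, then 'AAAA' at 0x0 and 'BBBB' at 0x10."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 4, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    rows = [(4, 232, 0, 8), (1, 240, 0x0, 4), (1, 244, 0x10, 4)]
    phdrs = b"".join(PHDR.pack(t, 0, off, 0, pa, sz, sz, 0) for t, off, pa, sz in rows)
    return io.BytesIO(ehdr + phdrs + bytes(8) + b"AAAA" + b"BBBB")
```

For a real dump, open both files in binary mode (`open(path, "rb")` and `open(out, "wb")`) and pass them to `elf_to_raw`; data is copied in 1 MiB chunks, so memory use stays flat.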
